b"OFFICE OF INSPECTOR GENERAL\n      for the Millennium Challenge Corporation\n\nAUDIT OF THE MILLENNIUM CHALLENGE\nCORPORATION\xe2\x80\x99S FINANCIAL STATEMENTS,\nINTERNAL CONTROLS, AND COMPLIANCE\nFOR THE PERIOD ENDING\nSEPTEMBER 30, 2012 AND 2011\n\n\nAUDIT REPORT NO. M-000-13-001-C\nNovember 15, 2012\nWASHINGTON, DC\n\n\nFinancial information contained in this report may be privileged. The\nrestrictions of 18 USC 1905 should be considered before any information is\nreleased to the public.\n\x0cOffice of Audit\n for the Millennium Challenge Corporation\n\n\n\n\nNovember 15, 2012\n\n\nMr. Daniel Yohannes\nChief Executive Officer\nMillennium Challenge Corporation\n875 15th Street, NW\nWashington, DC 20005-2203\n\n\nSubject:             Audit of the Millennium Challenge Corporation\xe2\x80\x99s Financial Statements,\n                     Internal Controls, and Compliance for the Period Ending September 30,\n                     2012 and 2011 (Report No. M-000-13-001-C)\n\nDear Mr. Yohannes:\n\nEnclosed is CliftonLarsonAllen LLP\xe2\x80\x99s, final report on the subject audit. The Office of Inspector\nGeneral (OIG) contracted with the independent certified public accounting firm of\nCliftonLarsonAllen LLP, to audit the financial statements of the Millennium Challenge\nCorporation (MCC) for the period ending September 30, 2012. The contract required that the\naudit be performed in accordance with United States Generally Accepted Government Auditing\nStandards, Office of Management and Budget (OMB) Bulletin 07-04 as amended, Audit\nRequirements for Federal Financial Statements, and the GAO/PCIE Financial Audit Manual.\n\nThe Independent Auditors expressed an unqualified opinion on MCC\xe2\x80\x99s FY 2012 Financial\nStatements. The report stated that the financial statements referred to above present fairly, in all\nmaterial respects, the net position of MCC as of September 30, 2012, and its net cost, changes\nin net position and budgetary resources for the fiscal year then ended, in conformity with\naccounting principles generally accepted in the United States of America. MCC\xe2\x80\x99s financial\nstatements as of September 30, 2011 were audited by other auditors.\n\n\n\n\nU.S. Agency for International Development\nOffice of Inspector General\n1300 Pennsylvania Ave, NW\nWashington, DC 20523\nwww.usaid.gov/oig\n\x0cIn its audit of MCC\xe2\x80\x99s fiscal year 2012 financial statements the auditor\xe2\x80\x99s identified one issue that\nwas considered a material weakness and three other issues that were considered significant\ndeficiencies. These matters are listed below and are detailed in the auditor\xe2\x80\x99s report.\n\nA deficiency in internal control exists when the design or operation of a control does not allow\nmanagement or employees, in the normal course of performing their assigned functions, to\nprevent, or detect and correct misstatements on a timely basis. A material weakness is a\ndeficiency, or combination of deficiencies, in internal control, such that there is a reasonable\npossibility that a material misstatement of an entity's financial statements will not be prevented,\nor detected and corrected on a timely basis.\n\nMaterial Weakness\n\n       Ineffective and Inefficient Interrelationship among Software, Personnel, Procedures,\n       Controls and Data within MCC\xe2\x80\x99s Financial Management Systems\n\nA significant deficiency is a deficiency, or a combination of deficiencies, in internal control that is\nless severe than a material weakness, yet important enough to merit attention by those charged\nwith governance.\n\nSignificant Deficiencies\n\n       Validation Control over Grant Accrual Estimates Needs to be Strengthened\n\n       Monitoring Control over Funds Provided to MCAs Needs Improvement\n\n       Information Systems Controls Need Improvement\n\nThe auditors did not note any instance of material non-compliance with laws and regulations.\n\nIn carrying out its oversight responsibilities, the OIG reviewed CliftonLarsonAllen LLP, Internal\nAudit Report and audit documentation. This review, as differentiated from an audit in\naccordance with U.S. Generally Accepted Government Auditing Standards was not intended to\nenable the OIG to express, and we do not express, opinions on MCC\xe2\x80\x99s financial statements, or\ninternal control; or on MCC\xe2\x80\x99s compliance with other laws and regulations. CliftonLarsonAllen\nLLP is responsible for the attached auditor\xe2\x80\x99s report, dated November 15, 2012, and the\nconclusions expressed in the report. However, our review disclosed no instances where\nCliftonLarsonAllen LLP, did not comply, in all material respects, with applicable standards.\n\nTo address the material weakness and significance deficiencies in internal controls reported by\nCliftonLarsonAllen LLP, we are listing below the findings with 22 recommendations to MCC\xe2\x80\x99s\nmanagement:\n\n\nMaterial Weakness\n\nIneffective and Inefficient Interrelationship among Software, Personnel, Procedures,\nControls and Data within MCC\xe2\x80\x99s Financial Management Systems\n\n\n\n\n                                                  3\n\x0cRecommendations: With regards to the core financial system, we recommend that MCC:\n\n   1. Perform a comprehensive review and determine whether the service provider\xe2\x80\x99s financial\n      management system is substantially in compliance with the federal financial\n      management system\xe2\x80\x99s requirements and meeting MCC financial management and\n      reporting needs. As part of this review, management should determine if a separate\n      grants management system that focuses on program administrations that interfaces with\n      the core financial system is needed.\n\n   2. Investigate and correct the causes for the underlying system errors and limitations that\n      prevent or delay the recording, processing, and summarizing of accounting transactions.\n\n   3. Review USSGL transaction posting models so that all routine accounting transactions\n      are included in the normal accounting processes. Manual adjusting journal entries\n      should be used for limited transactions like unusual one-time entries. All valid recurring\n      entries that are currently entered manually should have standard transaction codes set-\n      up to prevent posting errors.\n\nWith regards to the workbook, we recommend that MCC:\n\n   4. Hard code key cells in the excel spreadsheets used in preparing and generating the\n      financial statements to prevent unintentional or inadvertent changes.\n\n   5. Limit access and ability to make changes to the workbook to a few personnel. Assign a\n      staff and a designate as primarily responsible and accountable for the workbook.\n\n   6. Create a log to document changes to the workbook, the date of change, the person\n      making the change, and the changes made.\n\n   7. Investigate the use of alternative approaches such as the use of a financial statement\n      generation software tool or other financial management system that can interface with\n      the trial balance or the core financial system and automatically generate the financial\n      statements.\n\nWith regards to supervisory reviews, we recommend that MCC:\n\n   8. Develop a comprehensive financial statements review process that details specific steps\n      performed, results of such reviews, steps taken to resolve discrepancies noted, and\n      related management resolution.\n\n   9. Implement an effective management review using the comprehensive review process\n      developed in recommendation 8 to ensure that all transactions for the accounting period\n      are accurately and completely reflected in the financial statements, current year\n      beginning balances agreed to prior year audited balances, and reconciling items are\n      recorded timely. Such management reviews should be performed quarterly and at year-\n      end timely with evidence of management sign-off signifying levels of reviews performed.\n\n\n\n\n                                               4\n\x0cWith regards to financial staff resource management, we recommend that MCC:\n\n   10. Cross-train MCC financial staff on the financial statements preparation process to\n       ensure that there is more than one person knowledgeable and can prepare the financial\n       statements.\n\nSignificant Deficiencies\n\nValidation Control over Grant Accrual Estimates Needs to be Strengthened\n\nRecommendations: We recommend that MCC:\n\n   11. Perform a grant accrual look back analysis on a quarterly basis. The look back analysis\n       and the results should provide MCC sufficient information to explain unusual variances\n       between actual and estimates, or support updating the current grant accrual\n       methodology. Such periodic assessment of the adequacy of the grant accrual\n       methodology should be documented and supported by data analysis. The accrued\n       liability amount is subject to the risks that actual subsequent disbursement amount may\n       be significantly different from management\xe2\x80\x99s estimate. When this occurs, management\n       should further analyze the drivers/factors to ensure the validity and reasonableness of\n       the estimation methodology.\n\n   12. Update the Expense Accruals Policy and Procedures to reflect the change in the\n       methodology.\n\n   13. Develop audit procedures for the MCA audit to compare spending authority request\n       amount against actual expenses, and investigate and document significant variances.\n       The results should be provided to MCC, which can use this information collected from\n       the MCA audits as data store to validate or enhance the current methodology.\n\n   14. Continue to enhance the accrual methodology.\n\n\nMonitoring Control over Funds Provided to MCAs Needs Improvement\n\nA. Audit Reports\n\nRecommendations:\n\n\n   15. MCC management should have control over how these audits should be conducted to\n       meet its financial and programmatic accountability, needs and requirements. MCC\n       management should collaborate with USAID OIG to clarify and document management\n       roles, responsibilities, and performance standards and the USAID OIG oversight role\n       with regards to MCA audits.\n\n   16. MCC needs to evaluate its resources, capability, and ability to monitor and review the\n       quality and performance of the audits and the audit firms to track and conduct follow-up\n       of corrective action plans with the MCAs in a timely manner.\n\n\n\n\n                                               5\n\x0cB. Final Quarterly Financial Report (QFR)\n\nRecommendations:\n\nWe recommend that MCC:\n\n   17. Utilize the QFRs and the monthly reconciliations as monitoring tools over the MCA\xe2\x80\x99s\n       financial reporting process and the MCC\xe2\x80\x99s validation of its financial records. To be\n       effective as monitoring tools, the re-designing of the QFR form and the development and\n       documentation of the monthly reconciliation process should ensure that relevant data\n       and information are reported by the MCAs and reported timely.\n\n   18. Ensure that MCA reconciliations are provided to MCC and reviewed to investigate\n       material variances and make corrections, if any.\n\n\n   19. Require the MCA audit firms to test the design and effectiveness of the MCA\xe2\x80\x99s internal\n       control over the QFRs and the monthly reconciliation, and to test for the accuracy of the\n       balances and reconciliation.\n\n   20. Develop and implement reconciliation procedures to document the complete\n       reconciliation between the MCA\xe2\x80\x99s final QFR and MCC\xe2\x80\x99s records.\n\nC. Expired Compacts Not Financially Closed-Out\n\nRecommendations:\n\nWe recommend that MCC:\n\n   21. Timely assess the MCA\xe2\x80\x99s need for the remaining compact funds so that the funds could\n       be de-obligated within the timeline in the policy and procedures after the compact\n       expires.\n\n   22. Develop and implement a financial management policy that separates the programmatic\n       close-out process from the financial close-out process. This policy should clearly layout\n       the expected timing for de-obligation.\n\nInformation Systems Controls Need Improvement\n\nRecommendation:\n\nWe are not repeating the recommendations which are included in the USAID OIG Report titled\n\xe2\x80\x9cAudit of Millennium Challenge Corporation\xe2\x80\x99s Fiscal Year 2012 Compliance with Federal\nInformation Security Management Act of 2002,\xe2\x80\x9d Audit Report M-000-13-001-P, dated\nNovember 6, 2012.\n\nIn finalizing the report, CliftonLarsonAllen LLP, evaluated MCC\xe2\x80\x99s response to the report and\nacknowledged that management decisions have been reached on all of the recommendations.\n\n\n\n\n                                               6\n\x0cMCC plans to complete its corrective actions by June 30, 2013, or have documented the\nappropriate timeline in which actions will be completed.\n\nThe OIG acknowledges MCC\xe2\x80\x99s management decisions for all 22 recommendations. Please\ninform us when final action has been achieved.\n\nWe appreciate the cooperation and courtesies extended to our staff and to the staff of\nCliftonLarsonAllen LLP, during the audit. Please contact Fred Jones at (202) 216-6963, if you\nhave any questions concerning this report.\n\n\n\n\n                                                          Sincerely,\n\n                                                                   /s/\n\n                                                          Richard J. Taylor\n                                                          Deputy Assistant Inspector General\n                                                          for Audit\n                                                          Millennium Challenge Corporation\n\n\n\n       cc:    Steven Kaufmann, Chief of Staff\n              kaufmannsm@mcc.gov\n\n              Chantale Wong, Vice President of Administration and Finance\n              wongcy@mcc.gov\n\n              Margaret Yao, Deputy Vice President of Administration and Finance\n              yaoml@mcc.gov\n\n              Patrick Fine, Vice President of Compact Operations\n              finepc@mcc.gov\n\n              Terry Bowie, Chief Financial Advisor\n              tlbowie@mcc.gov\n\n              Eric Redmond, Assistant Deputy Chief Financial Officer\n              redmondeg@mcc.gov\n\n              Arlene McDonald, Compliance Officer\n              mcdonalda@mcc.gov\n\n\n\n\n                                                7\n\x0c                     MILLENNIUM CHALLENGE CORPORATION (MCC)\n\n                                      September 30, 2012\n\n\n                                       Table of Contents\n\n\n\nDescription                                                                      Page\n\nINDEPENDENT AUDITOR\xe2\x80\x99S REPORT                                                        1\n\n    Exhibit 1 \xe2\x80\x93 Material Weakness                                                 1-1\n\n    Exhibit 2 \xe2\x80\x93 Significant Deficiencies                                          2-1\n\n    Exhibit 3 \xe2\x80\x93 Status of Prior Year\xe2\x80\x99s Audit Findings and Recommendations         3-1\n\n    Exhibit 4 \xe2\x80\x93 Management\xe2\x80\x99s Response to Findings Contained in the Independent\n      Auditor\xe2\x80\x99s Report                                                            4-1\n\n\nMCC ANNUAL FINANCIAL REPORT\n\x0c                                                                      CliftonLarsonAllen LLP\n                                                                      www.cliftonlarsonallen.com\n\n\n\n\n                             INDEPENDENT AUDITOR\xe2\x80\x99S REPORT\n\n\nTo the Inspector General\nU.S. Agency for International Development\n\nTo the Board of Directors\nMillennium Challenge Corporation\n\nWe have audited the accompanying balance sheet of the Millennium Challenge Corporation\n(MCC) as of September 30, 2012, and the related statements of net cost and changes in net\nposition, and the combined statement of budgetary resources (\xe2\x80\x9cfinancial statements\xe2\x80\x9d) for the\nyear then ended. The objective of our audit was to express an opinion on the fairness of these\nfinancial statements. In connection with our audit, we also considered the internal control over\nfinancial reporting and considered MCC\xe2\x80\x99s compliance with laws and regulations. In our audit, we\nfound:\n\n   \xef\x82\xb7   The financial statements are presented fairly, in all material respects, in conformity with\n       accounting principles generally accepted in the United States of America (U.S.);\n   \xef\x82\xb7   One material weakness and three significant deficiencies in internal control over financial\n       reporting and compliance with laws and regulations;\n   \xef\x82\xb7   No instance of reportable noncompliance with selected provisions of laws and\n       regulations tested.\n\nThe following sections and exhibits discuss in more detail: (1) above conclusions, (2)\nManagement\xe2\x80\x99s Discussion and Analysis (MD&A) and other accompanying information, (3)\nmanagement\xe2\x80\x99s responsibility for the financial statements, (4) our responsibility for the audit, (5)\nmanagement\xe2\x80\x99s response and our evaluation of their response, and (6) the current status of prior\nyear\xe2\x80\x99s findings and recommendations.\n\nOpinion on the Financial Statements\n\nIn our opinion, the financial statements referred to above, present fairly, in all material respects,\nthe financial position of MCC as of September 30, 2012 (FY 2012), and its net cost; changes in\nnet position; and budgetary resources for the year then ended in conformity with accounting\nprinciples generally accepted in the United States. The financial statements of MCC as of and\nfor the year ended September 30, 2011 (FY 2011) were audited by other auditors, whose report\ndated November 10, 2011, expressed an unqualified opinion on those financial statements.\nMCC reclassified certain financial statement line items of the combined statement of budgetary\nresources (SBR) for FY 2011 to be consistent with FY 2012 presentation in accordance with\naccounting principles generally accepted in the United States. The other auditors reported on\nthe financial statements before these reclassifications. We have audited the reclassifications in\nthe SBR. In our opinion, such reclassifications are appropriate and have been properly applied.\n\n\n\n\n                                                 1\n\x0cReport on Internal Control over Financial Reporting and Compliance\n\nIn planning and performing our audit, we considered MCC\xe2\x80\x99s internal control over financial\nreporting and compliance (internal control) as a basis for designing our auditing procedures for\nthe purpose of expressing our opinion on the financial statements, but not for the purpose of\nexpressing an opinion on the effectiveness of MCC\xe2\x80\x99s internal control or on management\xe2\x80\x99s\nassertion on internal control included in the MD&A. Accordingly, we do not express an opinion\non the effectiveness of MCC\xe2\x80\x99s internal control or on management\xe2\x80\x99s assertion on internal control\nincluded in the MD&A.\n\nA deficiency in internal control exists when the design or operation of a control does not allow\nmanagement or employees, in the normal course of performing their assigned functions, to\nprevent or detect and correct misstatements on a timely basis. A material weakness is a\ndeficiency or a combination of deficiencies in internal control, such that there is a reasonable\npossibility that a material misstatement of the MCC\xe2\x80\x99s financial statements will not be prevented,\nor detected and corrected on a timely basis. A significant deficiency is a control deficiency, or\ncombination of deficiencies in internal control that is less severe than a material weakness, yet\nimportant enough to merit attention by those charged with governance.\n\nOur consideration of internal control was for the limited purpose described above and was not\ndesigned to identify all deficiencies in internal control that might be significant deficiencies or\nmaterial weaknesses. However, we identified a combination of deficiencies in internal control\ndescribed in Exhibit 1 that we consider to be a material weakness and other deficiencies\ndescribed in Exhibit 2 that we consider to be significant deficiencies.\n\nAlso, as required by Office of management and Budget (OMB) Bulletin 07-04, Audit\nRequirements for Federal Financial Statements, as amended, we compared the material\nweakness disclosed during the audit with those material weaknesses reported in the MCC\xe2\x80\x99s\nFederal Managers Financial Integrity Act (FMFIA) report that relate to the financial statements.\nOur audit did not identify any material weakness that were not identified by MCC in their FMFIA\nreport.\n\nWe also noted non-reportable matters that we communicated to MCC and will include in a\nseparate management letter to MCC to be dated November 12, 2012.\n\nReport on Compliance and Other Matters\n\nIn connection with our audit, we performed tests of MCC\xe2\x80\x99s compliance with selected provisions\nof applicable laws and regulations. The results of our tests disclosed no instances of\nnoncompliance that are required to be reported in accordance with Government Auditing\nStandards, issued by the Comptroller General of the United States or OMB Bulletin 07-04, as\namended. However, the objective of our audit was not to provide an opinion on compliance with\nlaws and regulations. Accordingly, we do not express such an opinion.\n\nStatus of Prior Year\xe2\x80\x99s Audit Findings and Recommendations\n\nWe have reviewed the status of MCC\xe2\x80\x99s corrective actions with respect to the findings and\nrecommendations included in prior year\xe2\x80\x99s Independent Auditor\xe2\x80\x99s Report dated November 10,\n2011. The status of prior year\xe2\x80\x99s findings and recommendations is presented in Exhibit 3.\n\n\n\n\n                                                2\n\x0cOther Information\n\nAccounting principles generally accepted in the U.S. require that MCC\xe2\x80\x99s MD&A be presented to\nsupplement the financial statements. Such information, although not a part of the financial\nstatements, is required by the Federal Accounting Standards Advisory Board who considers it to\nbe an essential part of financial reporting for placing the financial statements in an appropriate\noperational, economic, or historical context. We have applied certain limited procedures to the\nMD&A in accordance with auditing standards generally accepted in the U.S., which consisted of\ninquiries of management about the methods of preparing the information and comparing the\ninformation for consistency with management's responses to our inquiries, the financial\nstatements, and other knowledge we obtained during our audit of the financial statements. We\ndo not express an opinion or provide any assurance on the information because the limited\nprocedures do not provide us with sufficient evidence to express an opinion or provide any\nassurance.\n\nOther information included in the Annual Financial Report, other than the financial statements,\nMD&A, and the Independent Auditor\xe2\x80\x99s Report is presented for additional analysis and is not a\nrequired part of the financial statements. Such information has not been subjected to the\nauditing procedures applied in the audit of the financial statements and, accordingly, we express\nno opinion on them.\n\nManagement\xe2\x80\x99s Responsibility for the Financial Statements\n\nMCC management is responsible for (1) preparing the financial statements in conformity with\naccounting principles generally accepted in the U.S., (2) designing, implementing, and\nmaintaining internal control to provide reasonable assurance that the broad control objectives of\nFMFIA are met, and (3) complying with other applicable laws and regulations.\n\nAuditor\xe2\x80\x99s Responsibility\n\nWe are responsible for conducting our audit in accordance with auditing standards generally\naccepted in the U.S.; the standards applicable to the financial audits contained in Government\nAuditing Standards, issued by the Comptroller General of the United States; and OMB Bulletin\n07-04, as amended. Those standards require that we plan and perform the audit to obtain\nreasonable assurance about whether the financial statements are presented fairly, in all material\nrespects, in conformity with accounting principles generally accepted in the U.S. We are also\nresponsible for: (1) obtaining a sufficient understanding of internal control over financial\nreporting and compliance to plan the audit, (2) testing compliance with selected provisions of\nlaws and regulations that have a direct and material effect on the financial statements, and laws\nfor which OMB Bulletin 07-04 requires testing, (3) performing limited procedures with respect to\ncertain other information appearing in the published Annual Financial Report.\n\nIn order to fulfill these responsibilities, we (1) examined, on a test basis, evidence supporting the\namounts and disclosures in the financial statements; (2) assessed the appropriateness of the\naccounting policies used and the reasonableness of significant estimates made by\nmanagement; (3) evaluated the overall presentation of the financial statements; (4) obtained an\nunderstanding of MCC and its operations, including its internal control related to financial\nreporting (including safeguarding of assets) and compliance with laws and regulations (including\nexecution of transactions in accordance with budget authority); (5) evaluated the effectiveness\nof the design of internal control; (6) tested the operating effectiveness of relevant internal\ncontrols over financial reporting and compliance; (7) considered the design of the process for\n\n\n                                                 3\n\x0cevaluating and reporting on internal control and financial management systems under FMFIA;\n(8) tested compliance with selected provisions of certain laws and regulations. The procedures\nselected depend on the auditor\xe2\x80\x99s judgment, including our assessment of risks of material\nmisstatement of the financial statements, whether due to fraud or error. We believe we obtained\nsufficient and appropriate audit evidence on which to base our conclusions.\n\nWe did not evaluate all internal controls relevant to operating objectives as broadly defined by\nthe FMFIA, such as those controls relevant to preparing statistical reports and ensuring efficient\noperations. We limited our internal control testing to controls over financial reporting and\ncompliance. Because of inherent limitations in internal control, misstatements due to error or\nfraud, losses, or noncompliance may nevertheless occur and not be detected. We also caution\nthat projecting our audit results to future periods is subject to risk that controls may become\ninadequate because of changes in conditions or that the degree of compliance with controls\nmay deteriorate. In addition, we caution that our internal control testing may not be sufficient for\nother purposes.\n\nWe did not test compliance with all laws and regulations applicable to MCC. We limited our tests\nof compliance to selected provisions of laws and regulations that have a direct and material\neffect on MCC\xe2\x80\x99s financial statements and those required by OMB Bulletin 07-04 that we deemed\napplicable to MCC\xe2\x80\x99s financial statements for the fiscal year ended September 30, 2012. We\ncaution that noncompliance with laws and regulations may occur and not be detected by these\ntests and that such testing may not be sufficient for other purposes.\n\nMCC\xe2\x80\x99s Comments and our Evaluation\n\nManagement concurred with all our findings and recommendations. Management\xe2\x80\x99s response to\nour report is presented in Exhibit 4.\n\n                                  *********************************\n\nThis report is intended solely for the information and use of MCC management, U.S. Agency for\nInternational Development (USAID) Office of Inspector General, OMB, the Government\nAccountability Office (GAO), and the U.S. Congress, and is not intended to be, and should not\nbe, used by anyone other than these specified parties.\n\nCLIFTONLARSONALLEN LLP\n\n\n\n\nArlington, Virginia\nNovember 12, 2012\n\n\n\n\n                                                 4\n\x0c                         MILLENNIUM CHALLENGE CORPORATION\n                       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 1\n                                  September 30, 2012\n\nMATERIAL WEAKNESS\n\n1. Ineffective and Inefficient Interrelationship among Software, Personnel, Procedures,\n   Controls and Data within MCC\xe2\x80\x99s Financial Management Systems\n\nGAO Standards for Internal Control in the Federal Government states that internal control is not\none event, but a series of actions and activities that occur throughout an entity\xe2\x80\x99s operations and\non an ongoing basis. Control activity, which is one of the standards for internal control, may be\napplied in a computerized information system environment, or through manual processes.\nInformation system control should be installed at an application\xe2\x80\x99s interfaces with other systems\nto ensure that all inputs are received and are valid, and outputs are correct and properly\ndistributed. Some control activities include: controls over information processing, management\nof human capital, proper execution of transactions and events, accurate and timely recording of\ntransactions and events, and appropriate documentation of transactions. Monitoring, which is\nanother standard for internal control, is performed continually and is ingrained in the agency\xe2\x80\x99s\noperations. It includes regular management and supervisory activities, comparisons,\nreconciliations, and other actions people take in performing their duties.\n\nAccounting is a systematic process of identifying, recording, measuring, classifying, verifying,\nsummarizing, interpreting and communicating financial events. These financial events are\nultimately presented in financial statements through the financial reporting process. Each step in\nthe accounting process is an integral part of the financial reporting process.\n\nA financial management system includes the core financial system and the financial portions of\nmixed systems necessary to support financial management, including automated and manual\nprocesses, procedures and controls, data, software, and support personnel dedicated to the\noperation and maintenance of system functions.\n\nMCC has made significant progress this year by developing and implementing a grant accrual\nmethodology which will be the foundation for future enhancements. MCC has also reduced\nsome manual processes in its financial statements preparation where financial data and new\naccounts are no longer manually entered and financial data are now automatically populating all\nstatements, including new accounts. However, MCC needs to continue to strengthen its\nfinancial reporting processes and controls. The interrelationship among software, personnel,\nprocedures, controls and data within MCC\xe2\x80\x99s financial management systems (both manual and\nautomated) is ineffective and inefficient as described below:\n\n   a. MCC uses a shared services provider (SSP) to process its accounting transactions. The\n      SSP\xe2\x80\x99s core financial system current configurations prevent MCC from recording\n      significant transactions in a systematic manner. Our review of the September 30, 2012\n      SSP\xe2\x80\x99s open system ticket report, which tracks financial system issues, identified issues\n      that remain unresolved for an unreasonable period of time. Due to the volume and\n      variety of transactional financial events that MCC must record relating to its grantees;\n      MCC frequently has to prepare manual adjustments at the back end of the transactions\n      to correct errors such as the differences between the a) Purchase Order (PO) and\n      General Ledger (GL) module, b) Accounts Payable (AP) and GL module, c) incorrect\n      postings, d) system interface errors, and e) others. This system deficiency, combined\n      with inadequate and untimely corrective actions, negatively impact MCC\xe2\x80\x99s ability to\n      record transactions timely, properly, and accurately. Although MCC applied\n\n\n\n                                               1-1\n\x0c                    MILLENNIUM CHALLENGE CORPORATION\n                  INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 1\n                             September 30, 2012\n\n   compensating controls to detect and correct these errors, with the sheer volume and\n   complexity of these transactions (automated and manual), there is a high risk that errors\n   will not be detected and corrected timely or not detected at all. Our audit identified\n   instances where this situation occurred. Moreover, this system deficiency negatively\n   impacts MCC\xe2\x80\x99s limited staff resources.\n\n   OMB Circular A-127, Financial Management Systems, which is the government-wide\n   policies and standards issued pursuant to FMFIA, states that agencies are responsible\n   for managing their financial management system even when they utilize a service\n   provider to implement, operate and maintain the systems. Agencies must ensure that\n   their financial management systems meet applicable Federal requirements and are\n   adequately supported throughout the systems\xe2\x80\x99 life cycle. Furthermore, agencies must\n   monitor the service provider\xe2\x80\x99s performance and ensure that service failures are resolved\n   promptly.\n\nb. Although MCC has made strides in improving its financial reporting process by\n   implementing certain quality control review processes in response to prior year\xe2\x80\x99s\n   findings, much still need to be done. MCC\xe2\x80\x99s financial statements preparation process\n   continues to be manually intensive and susceptible to errors even though certain\n   functionalities have been automated. MCC uses a complex excel workbook (workbook)\n   to generate its financial statements. Trial balances from the core financial system and\n   USAID are cut and pasted into the workbook. Manual journal entries and on-top\n   adjustments (OTAs) are also posted into the workbook. The workbook then\n   automatically generates the financial statements from these data inputs. Due to system\n   issues described in 1.a. above, the trial balance generated by the core financial system\n   did not have the prior year final audited balances. Therefore, MCC has to post OTAs\n   pertaining to prior year to correct beginning balances. In addition, MCC posts similar\n   OTAs but for the current year to adjust or correct ending balances. These beginning and\n   ending balances OTAs are posted into the workbook each time the financial statements\n   are prepared (quarterly). Our audit identified instances where MCC missed posting\n   beginning balances OTAs and manual journal entries into the workbook at June 30,\n   2012 and September 30, 2012.\n\nc. The workbook utilized in the preparation of the financial statements did not have data\n   edit lock and data change control. The workbook is accessible to many personnel\n   including temporary financial personnel outside of key MCC financial staff, each having\n   the ability to make changes to the workbook. In addition, due to the complexity of the\n   spreadsheets in the workbook with various unprotected formulas and linkages, the risks\n   of data manipulation and/or unintended data changes can introduce errors that would be\n   difficult to detect and may be left undetected. Moreover, due to lack of documented\n   supervisory review of the workbook, we could not verify that supervisory reviews were\n   performed.\n\nd. In reviewing the June 30, 2012 financial statements, we identified errors that led us to\n   question the effectiveness of supervisory reviews, or the implementation of these\n   reviews due to lack of documented evidence of reviews.\n\n\n\n\n                                          1-2\n\x0c                        MILLENNIUM CHALLENGE CORPORATION\n                      INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 1\n                                 September 30, 2012\n\n   e. Internal control is effected by people. It is not merely about policy manuals, systems, and\n      forms, but about people at every level of an organization that impact internal control.\n      Good human capital policies and practices are critical internal control environmental\n      factors. We understand that MCC has limited staff and has to use temporary year-end\n      financial staff who may not be familiar with the inner working of MCC operations. In\n      addition, MCC relies heavily on contract staff in the preparation and generation of the\n      financial statements. The contract staff holds immense institutional knowledge in the\n      inner workings of MCC\xe2\x80\x99s business transactions and various \xe2\x80\x9cfixes or adjustments\xe2\x80\x9d\n      required for financial reporting and financial statement preparation. MCC runs the risk of\n      not being able to produce fairly presented financial statements timely without these key\n      contract staff.\n\nRecommendations\n\nWith regards to the core financial system, we recommend that MCC:\n\n   1. Perform a comprehensive review and determine whether the service provider\xe2\x80\x99s financial\n      management system is substantially in compliance with the federal financial\n      management system\xe2\x80\x99s requirements and meeting MCC financial management and\n      reporting needs. As part of this review, management should determine if a separate\n      grants management system that focuses on program administrations that interfaces with\n      the core financial system is needed.\n\n   2. Investigate and correct the causes for the underlying system errors and limitations that\n      prevent or delay the recording, processing, and summarizing of accounting transactions.\n\n   3. Review USSGL transaction posting models so that all routine accounting transactions\n      are included in the normal accounting processes. Manual adjusting journal entries\n      should be used for limited transactions like unusual one-time entries. All valid recurring\n      entries that are currently entered manually should have standard transaction codes set-\n      up to prevent posting errors.\n\nWith regards to the workbook, we recommend that MCC:\n\n   4. Hard code key cells in the excel spreadsheets used in preparing and generating the\n      financial statements to prevent unintentional or inadvertent changes.\n\n   5. Limit access and ability to make changes to the workbook to a few personnel. Assign a\n      staff and a designate as primarily responsible and accountable for the workbook.\n\n   6. Create a log to document changes to the workbook, the date of change, the person\n      making the change, and the changes made.\n\n   7. Investigate the use of alternative approaches such as the use of a financial statement\n      generation software tool or other financial management system that can interface with\n      the trial balance or the core financial system and automatically generate the financial\n      statements.\n\n\n\n\n                                              1-3\n\x0c                       MILLENNIUM CHALLENGE CORPORATION\n                     INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 1\n                                September 30, 2012\n\nWith regards to supervisory reviews, we recommend that MCC:\n\n   8. Develop a comprehensive financial statements review process that detail specific review\n      steps performed, results of such reviews, steps taken to resolve discrepancies noted,\n      and related management resolution.\n\n   9. Implement an effective management review using the comprehensive review process\n      developed in recommendation 8 to ensure that all transactions for the accounting period\n      are accurately and completely reflected in the financial statements, current year\n      beginning balances agreed to prior year audited balances, and reconciling items are\n      recorded timely. Such management reviews should be performed quarterly and at year-\n      end timely with evidence of management sign-off signifying levels of reviews performed.\n\nWith regards to financial staff resource management, we recommend that MCC:\n\n   10. Cross-train MCC financial staff on the financial statements preparation process to\n       ensure that there is more than one person knowledgeable and can prepare the financial\n       statements.\n\n\n\n\n                                            1-4\n\x0c                         MILLENNIUM CHALLENGE CORPORATION\n                       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                  September 30, 2012\n\nSIGNIFICANT DEFICIENCIES\n\n2. Validation Control over Grant Accrual Estimates Needs to be Strengthened\n\nMCC reported approximately $1.1 billion in compact grant related expenditures and an accrued\ngrant liability of $106 million for expenditures incurred by the Millennium Challenge Accounts\n(MCAs) but not yet paid by MCC at September 30, 2012. MCC applied its new grant accrual\nmethodology for the first time at September 30, 2012. The first three quarters\xe2\x80\x99 financial\nstatements accruals were based on data calls. MCC revised its methodology in an effort to\nimprove and streamline the accrual process employed in prior year. MCC recognized that prior\nyear grant accrual process, which involved data calls from the MCAs, was based on the best\ninformation available at the time. However, this manual process was cumbersome, time\nconsuming, labor intensive, time sensitive, and inconsistent, thus contributing to a high risk for\nerrors. To help MCC reassess this process, MCC hired an audit and consulting firm to provide a\ndetailed analysis and make recommendations on the appropriate methodology for the grant\naccrual estimate.\n\nMCC new accrual methodology is calculated based on an MCA\xe2\x80\x99s unused spending authority.\nMCC approves a quarterly spending authority in advance for each MCA. The unused spending\nauthority at the end of the quarter is used in the accrual calculation for each MCA. MCC uses\nthe MCA disbursement rate against the spending authority along with the disbursement rates for\nthe last three quarters to determine an average rate. The average rate is then subtracted\nagainst 100 percent to arrive at a rate that is applied to the unused spending authority in\ncalculating the grant accrual estimate for the MCA.\n\nIn reviewing the calculation of the accrual estimates and the supporting documentation, we\nnoted many instances of calculation errors, use of incorrect spending authority, incorrect\nformulas, omitted calculations, and missing documentation. Also, there was no documentation\nof look back analysis and investigations of unusual fluctuations, if any, to validate the\nreasonableness of the accrual estimates. An accrual look back analysis involves reviewing past\naccrual estimates and analyzing whether the past estimates are reasonable when compared to\nthe actual. We understand that this is a new methodology and MCC has not had an opportunity\nto update its Expense Accrual Policy and Procedures and perform a robust validation process.\n\nFASAB Federal Financial Accounting Technical Release (TR) 12, Accrual Estimates for Grant\nPrograms, states that \xe2\x80\x9cAs part of agencies\xe2\x80\x99 internal control procedures to ensure that grant\naccrual estimates for the basic financial statements were reasonable, agencies should validate\ngrant accrual estimates by comparing the estimates with subsequent grantee reporting.\xe2\x80\x9d\n\nRecommendations\n\nWe recommend that MCC:\n\n   11. Perform a grant accrual look back analysis on a quarterly basis for a sufficient period of\n       time to develop a pattern or trend. The look back analysis and the results should provide\n       MCC sufficient information to explain unusual variances between actual and estimates,\n       or support updating the current grant accrual methodology. Such periodic assessment of\n       the adequacy of the grant accrual methodology should be documented and supported by\n       data analysis. Note that the accrued liability amount is subject to the risks that actual\n\n\n\n                                               2-1\n\x0c                        MILLENNIUM CHALLENGE CORPORATION\n                      INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                 September 30, 2012\n\n       subsequent disbursement amount may be significantly different from management\xe2\x80\x99s\n       estimate. When this occurs, management should further analyze the drivers/factors to\n       ensure the validity and reasonableness of the estimation methodology.\n\n   12. Update the Expense Accruals Policy and Procedures to reflect the change in the\n       methodology. At a minimum, the policy and procedures should include the following:\n\n           a. documentation of the procedures and flow of information used in developing\n              grant accrual estimates;\n           b. a discussion of who (position title) is responsible for each step of the estimate as\n              well as the review and approval process followed;\n           c. the model used, the rationale for selecting the specific methodology, and, for\n              programs with sufficient historical data, the degree of calibration within the\n              projected spending model;\n           d. the sources of information, the logic flow, and the mechanics of the model,\n              including the formulas and other mathematical functions.\n\n   13. Develop audit procedures for the MCA audit to compare spending authority request\n       amount against actual expenses, and investigate and document significant variances.\n       The results should be provided to MCC, which can use this information collected from\n       the MCA audits as data store to validate or enhance the current methodology.\n\n   14. Continue to enhance the accrual methodology by considering the following:\n\n           a. stratifying the MCAs based on variances in their spending rates and/or stages in\n              the compact\xe2\x80\x99s life cycle;\n           b. addressing situations where the MCA exceeds its quarterly spending authority;\n           c. addressing situations where the compact has expired and there is no spending\n              authority and disbursements are still occurring;\n           d. obtaining detailed document level breakdown of expenses to be used to compare\n              against the accrual estimates;\n           e. other factors as deemed necessary to achieve an acceptable precision of the\n              accrual estimate.\n\n3. Monitoring Control over Funds Provided to MCAs Needs Improvement\n\nOMB Circular A-123, Management Responsibility for Internal Control, states that monitoring the\neffectiveness of internal control should occur in the normal course of business. In addition,\nperiodic reviews, reconciliations or comparisons of data should be included as part of the\nregular assigned duties of personnel. Periodic assessments should be integrated as part of\nmanagement\xe2\x80\x99s continuous monitoring of internal control, which should be ingrained in the\nagency\xe2\x80\x99s operations. If an effective continuous monitoring program is in place, it can level the\nresources needed to maintain effective internal controls throughout the year.\n\nAn adequate monitoring system oversees the design, implementation, and effectiveness of\ncontrols in mitigating risks. This monitoring system can be structured as an ongoing assessment\nprogram (for instance, supervisory reviews of day to day financial operations and reporting) or\nas a point in time program when a point in time assessment is required (for instance, MCA\naudits).\n\n\n\n                                               2-2\n\x0c                        MILLENNIUM CHALLENGE CORPORATION\n                      INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                 September 30, 2012\n\nWhen a country is awarded a grant (compact), it sets up its own local MCA accountable entity to\nmanage and oversee all aspects of implementing the compact. The MCAs, as the grantees of\nMCC\xe2\x80\x99s funds, are responsible for submitting financial, programmatic and compliance\ndocumentation to MCC in accordance with their compact agreements with MCC and other\nadministrative requirements. MCC, as the grantor, is responsible for reviewing and monitoring\nthe MCA\xe2\x80\x99s compliance with the compact agreement and other administrative requirements.\nMCC needs to continue to strengthen its monitoring controls over the funds provided to the\nMCAs.\n   A. Audit Reports\n\n       MCAs are required to obtain an annual (or semi-annual as agreed upon) financial audit\n   of the MCC funds by an independent auditor. We reviewed the audits covering the last two\n   years for 13 MCAs, which accounted for a total of 25 MCA audit reports. Similar to last\n   year\xe2\x80\x99s finding, 20 out of 25 (or 80 percent) audit reports were not received timely or were\n   already due but not yet received as of July 20, 2012, our test date. There were 15 audit\n   reports that were submitted late, ranging from 2 months to 9 months late, and 5 audit reports\n   due but not yet received ranging from 1 month to 3 months late as of the test date.\n       A financial audit of the MCA Fund Accountability Statement conducted by an\n   independent auditor in accordance with Government Auditing Standards issued by the\n   Comptroller General of the United States, provides an assurance to MCC that the MCA\xe2\x80\x99s\n   revenues received, costs incurred, and commodities and technical assistance directly\n   procured by the MCC are not materially misstated, and that tests of MCA\xe2\x80\x99s internal control\n   and compliance with compact terms and applicable laws and regulations related to MCC\n   funded programs were performed. The MCA financial audit is a key MCC internal control\n   over monitoring of MCA\xe2\x80\x99s control over financial reporting and compliance and its reliance on\n   MCA\xe2\x80\x99s financial reports. Accordingly, MCC should ensure that these audits are performed\n   and submitted timely, reviewed timely, and corrective actions, if any, are implemented\n   timely.\n       A timely audit involves the timely engagement of an audit firm by the MCA, an agreed\n   upon timeline that ensures that the deliverables are provided within the deadlines, quality\n   deliverables from the audit firms, and timely responses from the MCA and the audit firms.\n   MCC has the monitoring responsibility over the audit process, and the USAID OIG has the\n   oversight responsibility over the MCC\xe2\x80\x99s monitoring process. The USAID OIG provides\n   oversight by reviewing both the initial and the close-out planning documents received from\n   the MCAs. We understand that both USAID OIG and MCC are working together to minimize\n   the delays in the MCA audits, but more can be done to address the root causes of these\n   delays.\n\nRecommendations\n\n   15. Monitoring the timeliness, completeness, effectiveness, and implementation of corrective\n       action plans of the MCA audits is ultimately MCC management responsibility. MCC\n       management should have control over how these audits should be conducted to meet its\n       financial and programmatic accountability, needs and requirements. USAID OIG has the\n       oversight responsibility to ensure that MCC management\xe2\x80\x99s monitoring of MCA audits are\n       designed properly and operating effectively. We recommend therefore, that MCC\n       management collaborate with USAID OIG to clarify and document management roles,\n\n\n\n                                             2-3\n\x0c                        MILLENNIUM CHALLENGE CORPORATION\n                      INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                 September 30, 2012\n\n      responsibilities, and performance standards and the USAID OIG oversight roles with\n      regards to these MCA audits.\n\n   16. MCC needs to evaluate its resources, capability, and ability to monitor and review the\n       quality and performance of the audits and the audit firms to track and conduct follow-up\n       of corrective action plans with the MCAs in a timely manner.\n\n   B. Final Quarterly Financial Report (QFR)\n\n        MCC requires the MCA to submit a Schedule C (CPS payments only) of the QFR (final\n   QFR) 30 days prior to the program closure date to ensure that the MCA and the MCC books\n   are reconciled prior to the submission of the final financial report. We reviewed two MCAs\n   that closed in fiscal year 2012 by comparing the award amount, disbursement amount, and\n   the remaining balance from the final QFR to what MCC reported. The final QFRs were\n   received from the MCAs in February and May of 2012. Our review disclosed that the total\n   disbursements and compact balance amounts reported by the MCAs in their final QFRs\n   differed between $1 million and $3.5 million from the MCC reported amounts. In one of the\n   MCAs we reviewed, MCC indicated that it has not prepared a reconciliation. In another MCA\n   we tested, MCC provided a spreadsheet that included payment information from the core\n   financial system. There was no clear documentation of a comparison made between the\n   MCA and MCC records, differences noted, and the resolution of differences, if any.\n   However, there were comments throughout the spreadsheet that seemed to indicate no\n   support for some payments, some duplicate payments that have not been resolved, some\n   incorrect payment amounts, and payments made to the wrong fund.\n\n       MCC requires the MCA to perform a monthly reconciliation of the CPS monthly\n   Summary Report (of disbursements) from the MCC core financial system to the MCA\xe2\x80\x99s\n   accounting records. Corrections are processed through the use of a Payment Inquiry Form\n   (PIF) to address discrepancies and resolve them with the SSP. MCC receives copies of the\n   PIF and a monthly certification letter from the MCA stating that reconciliation was performed\n   and that the MCA records agree with the MCC records. The actual reconciliation is not\n   provided to MCC or to the SSP.\n\n       MCC is not taking advantage of important tools in monitoring the MCAs\xe2\x80\x99 financial\n   reporting process and validating its financial records. It has not established formal\n   procedures for how the MCAs should document and report their monthly reconciliation of the\n   compact award and expenses. Documented reconciliations will help to expedite the compact\n   close out process. MCC also has not established formal procedures for how the\n   reconciliation to the MCA final QFR is to be documented and the timeline for completion.\n\nRecommendations\n\nWe recommend that MCC:\n\n   17. Utilize the QFRs and the monthly reconciliations as monitoring tools over the MCA\xe2\x80\x99s\n       financial reporting process and the MCC\xe2\x80\x99s validation of its financial records. To be\n       effective as monitoring tools, the re-designing of the QFR form and the development and\n       documentation of the monthly reconciliation process should ensure that relevant data\n       and information are reported by the MCAs and reported timely.\n\n\n\n                                               2-4\n\x0c                         MILLENNIUM CHALLENGE CORPORATION\n                       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                  September 30, 2012\n\n   18. Ensure that MCA reconciliations are provided to MCC and reviewed to investigate\n       material variances and make corrections, if any.\n\n   19. Require the MCA audit firms to test the design and effectiveness of the MCA\xe2\x80\x99s internal\n       control over the QFRs and the monthly reconciliation, and to test for the accuracy of the\n       balances and reconciliation.\n\n   20. Develop and implement reconciliation procedures to document the complete\n       reconciliation between the MCA\xe2\x80\x99s final QFR and MCC\xe2\x80\x99s records.\n\n   C. Expired Compacts Not Financially Closed-Out\n\n       As of June 30, 2012, there were six compacts that expired, but were not financially\n   closed-out. The final audit report is due 120 days after the compact end date. The time that\n   has expired since that due date ranges from 5 months to 17 months with a total unliquidated\n   obligations balance of over $17 million. Untimely de-obligation of funds results in misstated\n   balances or misclassified funds in the statement of budgetary resources.\n\nRecommendations\n\nWe recommend that MCC:\n\n   21. Timely assess the MCA\xe2\x80\x99s need for the remaining compact funds so that the funds could\n       be de-obligated within the timeline in the policy and procedures after the compact\n       expires.\n\n   22. Develop and implement a financial management policy that separates the programmatic\n       close-out process from the financial close-out process. This policy should clearly layout\n       the expected timing for de-obligation.\n\n4. Information Systems Controls Need Improvement\n\nAll business processes today are impacted in some respects by information systems\napplications, policies, and controls. Information system is key to financial information collection,\nclassification, allocations, and reporting.\n\nInformation systems controls must be in place to ensure that critical data, transactions and\nprograms are processed in a timely manner. These include controls over MCC\xe2\x80\x99s general\nsupport system used to gain access to the contractor owned financial applications. Our\nevaluation of the general and application controls of MCC\xe2\x80\x99s key information technology\ninfrastructure identified the following control weaknesses, taken together, constitute a significant\ndeficiency.\n\nSecurity Management\n\n   \xef\x82\xb7   MCC needs to strengthen personnel out-processing procedures. MCC personnel exit\n       checklists were not maintained in the Staff Track and Reconciliation System (STARS) as\n       required in the MCC Exit Policy and Clearance Procedures. Additionally, while the new\n       exit process had been announced and the technology implemented, the process had not\n\n\n\n                                                2-5\n\x0c                         MILLENNIUM CHALLENGE CORPORATION\n                       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                  September 30, 2012\n\n       been adopted by the stakeholders involved: Human Resources, Contracts, and Office of\n       Security.\n\n   \xef\x82\xb7   MCC did not properly assess system risks on the agency\xe2\x80\x99s general support system,\n       MCCNet and MIDAS system for the fiscal year. For example:\n\n          o   MCC did not maintain a current Authorization to Operate (ATO) for the MCCNet\n              General Support System. The ATO expired on June 8, 2012, without MCC\n              completing a reauthorization of the system.\n          o   MCC did not perform a security impact assessment prior to moving its data\n              center.\n          o   MCC did not complete a risk assessment to reflect the new data center. The last\n              revision to the risk assessment was dated June 8, 2009.\n\n       In addition, a current risk assessment for the MIDAS system was not completed on an\n       annual basis.\n\n   \xef\x82\xb7   MCC needs to conduct system security assessments as specified by the National\n       Institute of Standards and Technology (NIST). The fiscal year 2012 security assessment\n       for MCCNet reviewed only two control families from NIST Special Publication 800-53,\n       Revision 3: Access Controls and Media Protection. However, the assessment was not in\n       accordance with the NIST Special Publication 800-37, Revision 1, risk management\n       framework and continuous monitoring.\n\n   \xef\x82\xb7   MCC needs to ensure all personnel receive security awareness training. MCC did not\n       track users who failed to participate in the daily Tips of the Day. In addition, MCC did not\n       establish a required number of tips a user must view each month or year.\n\n   \xef\x82\xb7   MCC did not fully implement NIST Special Publication 800-53, Revision 3 into its\n       information system security policies. MCC was in the process of updating the Policy;\n       however, it was not finalized.\n\n   \xef\x82\xb7   The MCCNet system security plan did not accurately reflect the current information\n       system environment.\n\nContingency Planning\n\n   \xef\x82\xb7   MCC did not perform testing of the MCCNet contingency plan for Fiscal Year (FY) 2012.\n       The last test was conducted in February of 2011; however, the test results and lessons\n       learned were not formally documented and reported until November 2011.\n\nAccess Controls\n\n   \xef\x82\xb7   MCC needs to periodically review network accounts. MCC did not perform quarterly\n       reviews of MCCNet group memberships as documented within the MCC Access Control\n       Procedures. In addition, MCC did not review network accounts of users that had never\n       logged into system.\n\n\n\n\n                                               2-6\n\x0c                        MILLENNIUM CHALLENGE CORPORATION\n                      INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                 September 30, 2012\n\nConfiguration Management\n\n   \xef\x82\xb7   MCC needs to strengthen security controls surrounding patch and configuration\n       management. MCC had procedures in place that use vulnerability scanning software to\n       assist in detecting and reporting security vulnerabilities. However, our evaluation\n       identified critical and high vulnerabilities on MCC hosts that MCC did not identify through\n       its scans.\n\n   \xef\x82\xb7   MCC did not effectively track and maintain their asset inventory. Asset management\n       personnel did not follow a set of documented procedures for how to manage the asset\n       inventory. In addition, MCC did not conduct periodic wall-to-wall asset inventories.\n\n   \xef\x82\xb7   MCC did not have documented change management procedures that describe types of\n       changes and levels of testing applied to the changes prior to approval by the\n       Configuration Control Board.\n\nThese findings highlight the MCC\xe2\x80\x99s lack of compliance with the NIST publications, OMB\nCirculars, and FISMA requirements as listed below:\n\nOMB Circular A-130, Management of Federal Information Resources, Appendix III, states\n\xe2\x80\x9cAgencies shall implement and maintain a program to assure that adequate security is provided\nfor all agency information collected, processed, transmitted, stored, or disseminated in general\nsupport systems and major applications.\xe2\x80\x9d\n\nThe Federal Information Security Management Act of 2002 (FISMA) requires that each agency\ndevelop an agency-wide information security program that includes:\n\n   \xef\x82\xb7   Periodic assessments of risk, including the magnitude of harm that could result from the\n       unauthorized access, use, disclosure, disruption, modification, or destruction of\n       information and information systems that support the operations and assets of the\n       organization;\n   \xef\x82\xb7   Policies and procedures that are based on risk assessments, cost-effectively reduce\n       information security risks to an acceptable level and address information security\n       throughout the life cycle of each organizational information system;\n   \xef\x82\xb7   Plans for providing adequate information security for networks, facilities, information\n       systems, or groups of information systems, as appropriate;\n   \xef\x82\xb7   Security awareness training to inform personnel of the information security risks\n       associated with their activities and their responsibilities in complying with organizational\n       policies and procedures designed to reduce these risks;\n   \xef\x82\xb7   Periodic testing and evaluation of the effectiveness of information security policies,\n       procedures, practices, and security controls to be performed with a frequency depending\n       on risk, but no less than annually;\n   \xef\x82\xb7   A process of planning, implementing, evaluating, and documenting remedial actions to\n       address any deficiencies in the information security policies, procedures, and practices\n       of the organization;\n   \xef\x82\xb7   Procedures for detecting, reporting, and responding to security incidents; and\n   \xef\x82\xb7   Plans and procedures for continuity of operations for information systems that support\n       the operations and assets of the organization.\n\n\n\n                                               2-7\n\x0c                        MILLENNIUM CHALLENGE CORPORATION\n                      INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 2\n                                 September 30, 2012\n\nBy not effectively implementing and enforcing IT policies and procedures, there is an increased\nrisk that financial and sensitive information may be inadvertently or deliberately misused and\nmay result in improper disclosure or theft without detection.\n\nRecommendation\n\nWe are not repeating our recommendations which are included in the USAID OIG Report titled\n\xe2\x80\x9cAudit of Millennium Challenge Corporation\xe2\x80\x99s Fiscal Year 2012 Compliance with Federal\nInformation Security Management Act of 2002,\xe2\x80\x9d Audit Report M-000-13-001-P, dated November\n6, 2012.\n\n\n\n\n                                             2-8\n\x0c                         MILLENNIUM CHALLENGE CORPORATION\n                       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 3\n                                  September 30, 2012\n\nSTATUS OF PRIOR YEAR\xe2\x80\x99S FINDINGS AND RECOMMENDATIONS\n\nAs required by Government Auditing Standards and OMB Bulletin No. 07-04, as amended, we\nhave reviewed the status of MCC corrective actions with respect to the findings and\nrecommendations included in MCC\xe2\x80\x99s Report on Internal Control for FY 2011. The following\nanalysis provides our assessment of the progress MCC has made through September 30, 2012\nin correcting the noted deficiencies.\n\n FY 2011 Findings             FY 2011 Recommendations                      FY 2012 Status\n\n I. MCC\xe2\x80\x99s Financial    1. Develop and document a financial             Partially Closed.\n    Reporting Needs       reporting process that reduces the           Financial Reporting\n    Improvement \xe2\x80\x93         likelihood of errors, inconsistencies, and   Process still in draft.\n    Material              inaccuracies and results in efficiencies     Some conditions\n    Weakness              and effectiveness, consistency, and          identified in FY 2011\n                          accuracy of financial data.                  still exist in FY 2012\n                                                                       and are reported as\n                                                                       MW.\n                       2. Enhance the quality control process to       Partially Closed. Some\n                          detect errors or improper closeout of        conditions identified in\n                          accounts through additional check totals,    FY 2011 still exist in FY\n                          training, and involvement of additional      2012 and are reported\n                          A&F staff members.                           as MW.\n II. Controls over     3. Develop an appropriate MCC data store        Partially Closed. Some\n     MCC Accrued          of MCA expense information as required       conditions identified in\n     Expenses,            by TR 12.                                    FY 2011 still exist in FY\n     Retentions, and                                                   2012 and are reported\n     Advances Need                                                     as Significant\n     Improvement \xe2\x80\x93                                                     Deficiency (SD).\n     Material\n     Weakness (MW)\n                       4. Perform similar data validation employed     Closed \xe2\x80\x93 New accrual\n                          at year-end for each quarter going           methodology adopted\n                          forward.                                     in FY 2012\n                       5. Prepare an MCC developed estimate for                Closed\n                          accrued expenses based upon statistical\n                          modeling or alternative that is based on\n                          MCC obtained data.\n                       6. Record advances in accordance with                   Closed\n                          generally accepted accounting principles.\n                       7. Develop and implement a periodic                     Closed\n                          reconciliation process for advances.\n                       8. Develop and implement a quarterly                    Closed\n                          certification for advance transactions\n                          processed by the MCAs as part of the\n                          quarterly data call submission.\n\n\n\n\n                                              3-1\n\x0c                         MILLENNIUM CHALLENGE CORPORATION\n                       INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 3\n                                  September 30, 2012\n\n                       9. Modify MCA audit requirements to include        Partially Closed. MCC\n                          testing and reporting of advances               proposed changes to\n                          transactions.                                   MCA Audit Guide to\n                                                                          address the testing and\n                                                                          reporting of advances\n                                                                          transactions. However,\n                                                                          the changes have not\n                                                                          been finalized and\n                                                                          implemented by the\n                                                                          MCAs.\nIII. MCA Required      10. Collaborate with the OIG and provide the                Closed\n     Documentation,        MCA auditors with a document discussing\n     including Audit       the issues/errors that have led to delays in\n     Reports,              processing and clearing the audit plans\n     Quarterly             and audit reports in a timely manner.\n     Disbursement\n     Requests and\n     Compact\n     Closure Plans\n     are not\n     Submitted,\n     Reviewed,\n     and/or Approved\n     in a Timely\n     Manner \xe2\x80\x93\n     Significant\n     Deficiency (SD)\n                       11. Provide comprehensive guidance to              Recommendation\n                           MCAs regarding the procurement of firms        Closed. However,\n                           to perform the FAS audits with a focus on      certain conditions\n                           timeliness and completeness of the audit       identified in FY 2011\n                           deliverables and potential penalties.          still exist in FY 2012\n                                                                          and are reported as\n                                                                          SD.\n                       12. Continue to collaborate with the OIG to        Recommendation\n                           improve communications regarding audit         Closed. However,\n                           status and solutions to moving individual      certain conditions\n                           audits to completion on a timely basis.        identified in FY 2011\n                                                                          still exist in FY 2012\n                                                                          and are reported as\n                                                                          SD.\n                       13. Reiterate the program requirements that        Recommendation\n                           QDRs are to be accurate and complete           Closed. However,\n                           and submitted within the required              certain conditions\n                           timelines and provide them with                identified in FY 2011\n                           information about issues/things that cause     still exist in FY 2012\n                           delays.                                        and are reported as\n                                                                          management letter\n                                                                          (ML)\n\n\n                                               3-2\n\x0c                        MILLENNIUM CHALLENGE CORPORATION\n                      INDEPENDENT AUDITOR\xe2\x80\x99S REPORT EXHIBIT 3\n                                 September 30, 2012\n\n                      14. Review their current guidelines for         Recommendation\n                          submission of CCPs to determine if the      Closed. However,\n                          timelines is reasonable and realistic. In   certain conditions\n                          addition, DCO should work closely with      identified in FY 2011\n                          MCAs to develop and compile a compact       still exist in FY 2012\n                          closure plan and resolve any outstanding    and are reported as\n                          items in advance of compact closure.        ML.\nIV. Reconciling       15. Continue to follow USAID\xe2\x80\x99s progress         Recommendation\n    Fund Balance          towards elimination of cash balance         Closed. However, the\n    with Treasury \xe2\x80\x93       differences between USAID and Treasury      condition still exist in\n    SD                    and timely clearing of suspense account     FY 2012 and is\n                          items in order to monitor MCC\xe2\x80\x99s risks of    reported as ML.\n                          potential misstatements.\n\n\n\n\n                                             3-3\n\x0c                                                                                                 Exhibit 4\n\n\n\n    *\nMILLENNIUM\nCHALLENGE CORPORATION\nUNITED STATES OF AMERICA\n\n\n\n        November 13,2012\n\n        Mia Leswing, CPA, CISA, CGFM, Partner\n        CliftonLarsonAllen, LLP\n        4250 N. Fairfax Drive\n        Suite 1020\n        Arlington, VA 22203\n\n        Richard J. Taylor\n        Deputy Assistant Inspector General!Audit\n        Millennium Challenge Corporation\n        140 I H Street, NW, Suite 770\n        Washington, DC 20005\n\n        Dear Ms. Leswing and Mr. Taylor:\n\n        MCC has reviewed the draft audit report received November 9,2012. In response to audit findings\n        characterized as material weaknesses and significant deficiencies, as well as the associated\n        recommendations, MCC has the following comments:\n\n        Material Weakness: Ineffective and Inefficient Interrelationship Among Software, Personnel,\n        Procedures, Controls and Data within MCG's Financial Management Systems\n\n        Recommendations from the auditors:\n           I. Perform a comprehensive review and determine whether the service provider's financial\n              management system is substantially in compliance with the federal financial management\n              systems' requirements and meeting MCC needs. As part of this review determine if a\n              separate grants management system that focuses on program administration that interfaces\n              with the core financial system is needed.\n           2. Investigate and correct the causes for the underlying systems errors and limitations that\n              prevent or delay the recording, processing, and summarizing of accounting transactions.\n           3. Review USGGL transaction posting models so that all routine accounting transactions are\n              included in the normal accounting processes. Manual adjusting journal entries should be\n              used for limited transactions like one-time entries. All valid recurring entries that are\n              currently entered manually should have transaction codes set-up to prevent posting errors.\n           4. Hard code key cells in the excel spreadsheets used in preparing and generating the financial\n              statements to prevent unintentional or inadvertent changes.\n           5. Limit access and ability to make changes to the workbook to a few personnel. Assign a staff\n              and a designate as primarily responsible and accountable for the workbook.\n           6. Create a log to document changes to the workbook, the date of change, the person making the\n              change, and the changes made.\n           7. Investigate the use of alternative approaches such as the use of a financial statement\n              generation software tool or other financial management system that can interface with the\n              trial balance or the core financial system and automatically generate the financial statements.\n\n\n    875 Fifteenth Street NW I   Washington. DC I   20005-2221 I   p: (202) 521-3600 I f: (202) 521-3700   I www.mcc.gov\n\n                                                          4-1\n\x0c   8. Develop a comprehensive financial statements review process that details specific steps\n       performed, results of such reviews, steps taken to resolve discrepancies noted, and related\n       management resolution.\n   9. Implement an effective management review using the comprehensive review process\n       developed in recommendation 8 to ensure that all transactions for the accounting period are\n       accurately and completely reflected in the financial statements, current year beginning\xc2\xb7\n       balances agreed to prior year audited balances, reconciling items are recorded timely and\n       others. Such management reviews should be performed quarterly and at year-end timely with\n       evidence of management sing-off signifying levels of reviews performed.\n   10. Cross-train MCC financial staff on the financial statements preparation process to ensure that\n       there is more than one person knowledgeable and can prepare the financial statements.\n\nResponse from MCC:\nMCC concurs with recommendations 1 through 10.\n\nSignificant Deficiency: Validation Control over Grant Accrual Estimates Needs to be\nStrengthened\nRecommendations from the auditors:\n    11. Perform the grant accrual look back analysis on a quarterly basis. The look back analysis\n        methodology and results should provide MCC sufficient information to explain unusual\n        variances between actual and estimates, or support updating th,i: current grant accrual\n        methodology. Such periodic assessment of the adequacy ofth~ grant accrual methodology\n        should be documented and supported by data analysis. The liability amount is subject to risk\n        that actual subsequent disbursement account may be significantly different from\n        management's estimate. When this occurs, management should further analyze the\n        drivers/factors to ensure the validity and reasonableness ofthe estimation methodology.\n    12. Update the Expense Accruals Policy and Procedures to reflect the change in the\n        methodology.\n    13. Consider developing audit procedures for the MCA audit to compare spending authority\n        request amount against actual expenses, and investigate and document significant variances.\n        The results should be provided to MCC and used this information collected from the MCA\n        audits as data store to validate or enhance the current methodology.\n    14. Continue to enhance the accrual methodology.\n\nResponse from MCC:\nMCC concurs with recommendations 11 through 14.\n\nSignificant Deficiency: Monitoring Control over Funds Provided to Millennium Challenge\nAccounts (MCAs) Needs Improvement\n\nRecommendations from the auditors:\n   15. MCC management should have control over how these audits should be conducted to meet\n       its financial and programmatic accountability, needs and requirements. MCC management\n       should collaborate with USAID OIG to clarify and document management roles,\n       responsibilities, and performance standards and the USAID OIG oversight roles with regards\n       to MCA audits.\n   16. MCC needs to evaluate its resources, capability, and ability to monitor and review the quality\n       and performance of the audits and the audit firms, to track and conduct follow-up of\n       corrective action plans with the MCAs.\n   17. Utilize the QFRs and the monthly reconciliations as monitoring tools over the MCA's\n       financial reporting process and validating MCC's financial records. To be effective\n\n                                            4-2\n\x0c         monitoring tools, the re-designing of the QFR form and the development and documentation\n         of the monthly reconciliation process should ensure that relevant data and information are\n         reported by the MCAs and reported timely.\n   18.   Ensure that MCA reconciliations are provided to MCC and reviewed to investigate material\n         variances and make corrections, if any.\n   19.   Require the MCA audit firms to test the design and effectiveness of the MCA's internal\n         control over the QFRs and the monthly reconciliation and to test for the accuracy of the\n         balances and reconciliation.\n   20.   Develop and implement reconciliation procedures to document the complete reconciliation\n         between the MCA's final QFR and MCC's records.\n   21.   Timely assess the MCA's needs for the remaining compact funds so that the funds could be\n         de-obligated within the timeline in the policy and procedures after the compact expires.\n   22.   Develop and implement a financial management policy that separates the programmatic\n         close-out process from the financial close-out process. T.his policy should clearly layout the\n         expected timing for de-obligation.\n\nResponse from MCC:\nMCC concurs with recommendations 15 through 22.\n\nSignificant Deficiency: Information Systems Controls Need Improvement\nRecommendations from the auditors:\n    23. Repeat recommendations from the FISMA Report.\n\nResponse from MCC:\nMCC concurs with recommendations in the FISMA Report\n\nMCC will be addressing each recommendation as part of a comprehensive corrective action plan\nbeginning in the first quarter ofFY 2013 with the intent to develop and implement necessary changes\nas soon as possible.\n\nSincerely,\nMILLENNIUM CHALLENGE CORPORATION\nBy:\nChantale Wong /s/\nVice President, Administljition and Finance, and\nChief Financial Officer\nMillennium Challenge Corporation\n\n\n\n\n                                               4-3\n\x0cU.S. Agency for International Development\n       Office of Inspector General\n       1300 Pennsylvania Ave, NW\n         Washington, DC 20523\n           Tel: (202) 712-1150\n           Fax: (202) 216-3047\n           www.usaid.gov/oig\n\x0c"